Malware Analysis Report

2024-09-22 13:18

Sample ID 240724-tdv6psvajp
Target Badware Unban.zip
SHA256 f9ca19c8fa421287522b0606e25a97b0e6f9a6737d0021813da685a36d3151de
Tags cerber discovery ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f9ca19c8fa421287522b0606e25a97b0e6f9a6737d0021813da685a36d3151de

Threat Level: Known bad

The file Badware Unban.zip was found to be: Known bad.

Malicious Activity Summary

cerber discovery ransomware

Cerber

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: LoadsDriver

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-24 15:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 15:56

Reported

2024-07-24 15:59

Platform

win10-20240404-en

Max time kernel

134s

Max time network

139s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Badware Unban.zip"

Signatures

Cerber

ransomware cerber
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Windows\IME\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\IME\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\IME\AMIDEWINx64.EXE N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe N/A
N/A N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\IME\amigendrv64.sys C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\IME\AMIDEWINx64.EXE C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe N/A
File created C:\Windows\IME\amifldrv64.sys C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a5060050e2ddda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomai = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomai = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com\NumberOfSubdo = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c2fcd850e2ddda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{60E74F8B-6E86-448E-9D02-C53D614D3A88} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 4952 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4952 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 5052 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 5052 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4696 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4696 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4384 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4384 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 4384 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4384 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 2912 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 2912 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2912 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 1700 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 1700 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 1700 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1700 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 2896 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 2896 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2896 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 3024 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 3024 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3024 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 2996 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 2996 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2996 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 4296 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4296 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 4296 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4296 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 2784 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 2784 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2784 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 3732 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 3732 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 3732 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3732 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 4064 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4064 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 4064 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4064 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 3076 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 3076 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 3076 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3076 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 1684 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 1684 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1684 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 4988 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4988 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4988 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 3988 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 3988 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3988 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 660 wrote to memory of 168 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 168 N/A C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Badware Unban.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Badware Unban\Badware Unban\PermaUnbanKey.txt

C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe

"C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 06

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumperClient.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessHacker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiddlerEverywhere.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im de4dot.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Cheat Engine.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im MugenJinFuu-i386.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-i386.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTP Debugger Windows Service (32 bit).exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im x64dbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im x32dbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start https://discord.gg/badware

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mode con: cols=69 lines=18

C:\Windows\system32\mode.com

mode con: cols=69 lines=18

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start https://discord.gg/badware

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im epicgameslauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im steamservice.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im steamservice.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im steam.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteClient-Win64-Shipping_BE.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FortniteLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im UnrealCEFSubProcess.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im UnrealCEFSubProcess.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im CEFProcess.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im CEFProcess.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BEServices.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BattleEye.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im smartscreen.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im smartscreen.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im dnf.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im dnf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im DNF.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im DNF.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im CrossProxy.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im CrossProxy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im BackgroundDownloader.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im BackgroundDownloader.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im TXPlatform.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im TXPlatform.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OriginWebHelperService.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OriginWebHelperService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Origin.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OriginClientService.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OriginClientService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OriginER.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OriginER.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OriginThinSetupInternal.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OriginThinSetupInternal.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OriginLegacyCLI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OriginLegacyCLI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Agent.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Agent.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiveM.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSLauncher.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiveM_ROSLauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSService.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiveM_ROSService.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SS %random%%random%-%random%%random%-%random%%random%

C:\Windows\IME\AMIDEWINx64.EXE

C:\Windows\IME\AMIDEWINx64.EXE /SS 219014704-1010819758-3040911093

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /BS %random%%random%-%random%%random%-%random%%random%

C:\Windows\IME\AMIDEWINx64.EXE

C:\Windows\IME\AMIDEWINx64.EXE /BS 219014704-1010819758-3040911093

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /CS %random%%random%-%random%%random%-%random%%random%

C:\Windows\IME\AMIDEWINx64.EXE

C:\Windows\IME\AMIDEWINx64.EXE /CS 219014704-1010819758-3040911093

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /PSN %random%%random%-%random%%random%-%random%%random%

C:\Windows\IME\AMIDEWINx64.EXE

C:\Windows\IME\AMIDEWINx64.EXE /PSN 219014704-1010819758-3040911093

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO

C:\Windows\IME\AMIDEWINx64.EXE

C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe C: 1098-5711

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe D: 1530-1506

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe E: 9358-9053

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe F: 2645-3683

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown /r

C:\Windows\system32\shutdown.exe

shutdown /r
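The process list above is, end to end, a kill list aimed at debuggers, dumpers, network sniffers and injectors (KsDumper, IDA, x64dbg, OllyDbg, Wireshark, Fiddler, Xenos, de4dot, Cheat Engine, Process Hacker), then at anti-cheat and game-launcher processes (EasyAntiCheat, BattlEye, Fortnite, Steam, Origin, FiveM) and two OS components (explorer.exe, smartscreen.exe), followed by SMBIOS serial rewrites through C:\Windows\IME\AMIDEWINx64.EXE, volume-ID rewrites through C:\Windows\INF\volid.exe and a forced reboot. Two details worth checking before writing detections from it: the kills whose image name contains spaces are passed unquoted (taskkill /f /im Cheat Engine.exe), so taskkill only sees the first word and that kill cannot hit its target; and the four AMIDEWIN serial writes carry the same expanded value, so this run wrote one string into every field. The report also lists no volid.exe child process for the four cmd.exe lines that invoke it. The detection logic below is an added example, not part of the sandbox report or the sample: it runs over a constructed process-creation log in a made-up 'pid | image | command line' format (a stand-in for Sysmon event 1 or Windows 4688) whose command lines are copied from the report; the PIDs, the grouping of target names into classes, and the field names given to the AMIDEWIN switches (/SS, /BS, /CS, /PSN, /SU) are my assumptions.

```python
"""Constructed process-creation log, format 'pid | image | command line'
(stand-in for Sysmon event 1 / Windows 4688). Command lines are copied
from the report; the PIDs are invented."""
import re
from collections import Counter
from fnmatch import fnmatch

SAMPLE_LOG = r"""
1001 | cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
1002 | taskkill.exe | taskkill /f /im KsDumper.exe
1003 | taskkill.exe | taskkill /f /im idaq64.exe
1005 | taskkill.exe | taskkill /f /im Cheat Engine.exe
1006 | taskkill.exe | taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
1007 | taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1008 | taskkill.exe | taskkill /f /im EasyAntiCheat.exe
1010 | taskkill.exe | taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
1011 | taskkill.exe | taskkill /f /im steam.exe
1012 | taskkill.exe | taskkill /f /im explorer.exe
1013 | taskkill.exe | taskkill /f /im smartscreen.exe
1014 | cmd.exe | C:\Windows\system32\cmd.exe /c mode con: cols=69 lines=18
1015 | AMIDEWINx64.EXE | C:\Windows\IME\AMIDEWINx64.EXE /SS 219014704-1010819758-3040911093
1016 | AMIDEWINx64.EXE | C:\Windows\IME\AMIDEWINx64.EXE /BS 219014704-1010819758-3040911093
1017 | AMIDEWINx64.EXE | C:\Windows\IME\AMIDEWINx64.EXE /CS 219014704-1010819758-3040911093
1018 | AMIDEWINx64.EXE | C:\Windows\IME\AMIDEWINx64.EXE /PSN 219014704-1010819758-3040911093
1019 | AMIDEWINx64.EXE | C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
1020 | cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe C: 1098-5711
1021 | cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe D: 1530-1506
1022 | shutdown.exe | shutdown /r
"""

# Name patterns taken from the report's own kill list; the grouping is mine.
ANALYSIS_TOOLS = ("ksdumper*", "httpdebugger*", "processhacker*", "idaq*", "ida64.exe",
                  "wireshark.exe", "fiddler*", "xenos*", "de4dot.exe", "cheatengine*",
                  "mugenjinfuu*", "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "dbg64.exe", "dbg32.exe")
ANTICHEAT_AND_GAMES = ("easyanticheat.exe", "beservice*", "battleye.exe", "fortnite*",
                       "epicgameslauncher.exe", "steam*", "origin*", "fivem*", "unrealcefsubprocess.exe",
                       "cefprocess.exe", "dnf.exe", "crossproxy.exe", "txplatform.exe",
                       "backgrounddownloader.exe", "agent.exe")
OS_COMPONENTS = ("explorer.exe", "smartscreen.exe")
# AMIDEWIN write switches seen in the report; the field names are my reading of
# the option letters (assumption), not something the report states.
SMBIOS_SWITCHES = {"/SS": "system serial", "/BS": "baseboard serial", "/CS": "chassis serial",
                   "/PSN": "processor serial", "/SU": "system UUID"}
KILL_BY_NAME = re.compile(r"/im\s+(\S+)", re.I)
KILL_BY_FILTER = re.compile(r'/fi\s+"imagename\s+eq\s+([^"]+)"', re.I)
VOLID = re.compile(r"volid\.exe\s+([A-Z]):\s+([0-9A-F]{4}-[0-9A-F]{4})", re.I)


def parse_records(text):
    """Yield (pid, image, command line); image is lower-cased for matching."""
    for line in text.strip().splitlines():
        pid, image, cmd = (part.strip() for part in line.split(" | ", 2))
        yield int(pid), image.lower(), cmd


def classify_target(name):
    n = name.lower()
    for label, patterns in (("analysis_tool", ANALYSIS_TOOLS),
                            ("anticheat_or_game", ANTICHEAT_AND_GAMES),
                            ("os_component", OS_COMPONENTS)):
        if any(fnmatch(n, p) for p in patterns):
            return label
    return "other"


def analyze(text):
    """Count kills by target class and collect the HWID-tampering steps."""
    kills, malformed, smbios, volumes, reboot = Counter(), [], [], {}, False
    for pid, image, cmd in parse_records(text):
        if image == "taskkill.exe":
            # Count taskkill.exe only: the cmd.exe wrapper that launched it carries
            # the same text and would double-count every kill.
            by_filter, by_name = KILL_BY_FILTER.search(cmd), KILL_BY_NAME.search(cmd)
            if by_filter:
                target = by_filter.group(1)
            elif by_name:
                target = by_name.group(1)
                if not target.lower().endswith(".exe"):
                    # Unquoted name with spaces: taskkill stops at the first space,
                    # so this kill cannot hit the process it names.
                    malformed.append((pid, target, cmd))
                    continue
            else:
                continue
            kills[classify_target(target)] += 1
        elif image == "amidewinx64.exe":
            smbios += [f for f in (SMBIOS_SWITCHES.get(t.upper()) for t in cmd.split()) if f]
        elif image == "cmd.exe" and (m := VOLID.search(cmd)):
            # The report lists no volid.exe child, so match the cmd.exe line itself.
            volumes[m.group(1).upper()] = m.group(2).upper()
        elif image == "shutdown.exe" and "/r" in cmd.lower().split():
            reboot = True
    tamper = bool(smbios or volumes)
    verdict = ("hwid_tamper_with_analysis_evasion" if tamper and kills["analysis_tool"]
               else "hwid_tamper" if tamper else "kill_list_only" if kills else "nothing_flagged")
    return {"kills": kills, "malformed": malformed, "smbios": smbios,
            "volumes": volumes, "reboot": reboot, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On real telemetry the same rules apply to the CommandLine field of the process-creation event; the point of counting taskkill.exe rather than its cmd.exe parent, and of separating the malformed kills, is that a single tool like this produces fifty-odd kill events that should roll up into one finding with a count per target class, not fifty alerts. Any AMIDEWINx64.EXE launch with a write switch, or any volid.exe launch, is worth an alert on its own: neither has a routine reason to run on an end-user machine.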

Network

Country Destination Domain Proto
N/A 127.0.0.1:49766 N/A tcp
N/A 127.0.0.1:49768 N/A tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 f.f.f.f.8.f.2.0.2.c.1.c.3.1.0.9.f.f.f.f.6.9.8.8.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 discord.gg udp
US 162.159.136.234:443 discord.gg tcp
US 162.159.136.234:443 discord.gg tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
N/A 127.0.0.1:49967 N/A tcp
N/A 127.0.0.1:49969 N/A tcp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 162.159.136.234:443 discord.gg tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
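Reading the Network table: a udp row to 8.8.8.8:53 is a DNS query for the name in the Domain column, a tcp row is a connection and its Domain column is the name that resolved to that address, and the in-addr.arpa / ip6.arpa rows are reverse lookups of addresses rather than contact with new hosts. Four external names are actually connected to: keyauth.win (which belongs to the KeyAuth application-licensing service) on 104.26.1.5, and discord.gg, discord.com and cdn.discordapp.com, the targets of the two "start https://discord.gg/badware" commands in the process list. Several reverse lookups (2.22.144.73, 52.111.229.19, 199.232.210.172, 104.208.16.89, and 8.8.8.8, the resolver itself) have no matching connection anywhere in the table. The parser below is an added example, not part of the report: NETWORK_ROWS is a subset of the table copied as text, and the labels it assigns are mine.

```python
"""Parse the report's Network table into IOCs: forward queries, connections,
name-to-address resolutions, and reverse-lookup targets that were never
connected to. NETWORK_ROWS is copied from the table above (constructed subset)."""
import ipaddress
from collections import defaultdict

NETWORK_ROWS = """
N/A 127.0.0.1:49766 N/A tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 f.f.f.f.8.f.2.0.2.c.1.c.3.1.0.9.f.f.f.f.6.9.8.8.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 discord.gg udp
US 162.159.136.234:443 discord.gg tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
"""


def parse_row(line):
    """Columns: Country Destination Domain Proto; Domain is 'N/A' for loopback rows."""
    country, dest, domain, proto = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": None if domain == "N/A" else domain, "proto": proto}


def decode_ptr(name):
    """Turn a reverse-lookup name back into the address it asks about, or None."""
    n = name.lower()
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        return ipaddress.ip_address(".".join(reversed(octets)))
    if n.endswith(".ip6.arpa"):
        # ip6.arpa lists the 32 nibbles of the address in reverse order.
        hexstr = "".join(reversed(n[: -len(".ip6.arpa")].split(".")))
        return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None


def extract_iocs(text):
    resolved = defaultdict(set)  # name -> addresses the sample actually connected to
    queries, connections, ptr_targets = set(), set(), set()
    for line in text.strip().splitlines():
        row = parse_row(line)
        if ipaddress.ip_address(row["ip"]).is_loopback:
            continue  # sandbox-local sockets, no external IOC
        if row["proto"] == "udp" and row["port"] == 53 and row["domain"]:
            addr = decode_ptr(row["domain"])
            (ptr_targets.add(str(addr)) if addr else queries.add(row["domain"]))
            continue
        connections.add((row["ip"], row["port"]))
        if row["domain"]:
            resolved[row["domain"]].add(row["ip"])
    connected_ips = {ip for ip, _ in connections}
    return {"queries": queries, "connections": connections,
            "resolved": {d: sorted(v) for d, v in resolved.items()},
            "ptr_without_connection": sorted(ptr_targets - connected_ips)}


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

The join between decoded reverse lookups and the connection set is the useful output: addresses that appear only as PTR targets are not evidence that the sample reached them, and the IP-to-name pairs in "resolved" are the ones to ship as IOCs. Note that cdn.discordapp.com and discord.com are the hosts behind the "Legitimate hosting services abused for malware hosting/C2" signature, so blocking them outright would also block ordinary Discord use; the keyauth.win resolution is the more specific indicator here.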

Files

memory/660-0-0x00007FFC8EF20000-0x00007FFC8EF22000-memory.dmp

memory/660-1-0x0000000140000000-0x00000001419DD000-memory.dmp

memory/4348-21-0x0000025329720000-0x0000025329730000-memory.dmp

memory/4348-5-0x0000025329620000-0x0000025329630000-memory.dmp

memory/4348-40-0x00000253269F0000-0x00000253269F2000-memory.dmp

memory/4740-48-0x00000255C52C0000-0x00000255C53C0000-memory.dmp

memory/3476-61-0x000002B30F010000-0x000002B30F110000-memory.dmp

memory/3476-78-0x000002B31F1E0000-0x000002B31F1E2000-memory.dmp

memory/3476-76-0x000002B31F1C0000-0x000002B31F1C2000-memory.dmp

memory/3476-74-0x000002B31F1A0000-0x000002B31F1A2000-memory.dmp

memory/4348-131-0x000002532FBD0000-0x000002532FBD1000-memory.dmp

memory/4348-130-0x000002532FBC0000-0x000002532FBC1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YWCI917P\favicon[1].ico

MD5 ec2c34cadd4b5f4594415127380a85e6
SHA1 e7e129270da0153510ef04a148d08702b980b679
SHA256 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512 c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

memory/4348-176-0x0000025328860000-0x0000025328862000-memory.dmp

memory/4348-179-0x0000025326CB0000-0x0000025326CB1000-memory.dmp

memory/4348-183-0x0000025326950000-0x0000025326951000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF8E926A7394A6CF95.TMP

MD5 2f74e6528aa126fa0ba1301f34cad2f5
SHA1 11051a2ed65ddb414981c6455a191e9c038a1265
SHA256 c4524440f2d64a01ee50b2edf81282fcaa75e2043bf0e75ab7c8acd58880b440
SHA512 cce6bf1165838de5d515ff7f63e5a7420b589882b86a850d3db74528fae63cd9b6bef4547ea2cda309f482b7457fc057203f0cc05483d3351ef0b17244cedce6

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

MD5 bef2be38dfb2cce9a67c30d11d55a323
SHA1 6585555a3025f57b4af11e457c0f6c98e9b3d973
SHA256 056017e4e57ad60ab9b0ee561a326738115e06f5ef7f6d5df5a499533ba95298
SHA512 5423dd108c9904f549adf806b03c60ac04f70946abaa631ddfb2f167e83d26ab9e1826c7d6c8701a051c5837d04f0f435ae66d74be908f39cd01fcda572e7f96

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

MD5 2f09bdd8cce033a95e1ca7a43ca6871b
SHA1 a4b42ffa5c69773903f6c51e948b6fe324cf2b6e
SHA256 cb824a304f74a19caabdc7a47ca47a5fea4b49c74b23314f0336675a79b344fe
SHA512 2159193a80e83bf43f52dd093b694c6c060b5277ecc7166100632d507f867d48466ceaac6003e22bd60b181b02c3dd00a08bbaf93f4b94788e8601092d4fb834

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

MD5 a6ac1c8126eb760fdb929543583a5614
SHA1 2ff24e9b02cc2bafaf37c02d26b17954260ce6ac
SHA256 645ba737f490f8703fe9654852dd662fb14eae9c91924d3b14b692b76553f126
SHA512 da9fba51300e897cc1fffe18d2a59bc322f725dd2af276b735375e7bba40be212e292495703a29e73fb676027b2e0b590c19749b688f7304b5a9e9e71164cc7e

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

MD5 9743d001a231939db2668578122909ae
SHA1 f86b17af01581f3b24254e1a642940335a44cd65
SHA256 cefd5bdb9a0c32e4186f24699659fd517e673a156ebe939ea08f93ade9ae4d9f
SHA512 961b0ed54e7c4a297092c0f710f9ca48e65d685ea2d4e498182b150cbdd2650181fbc31bd0b561850b3d163c58fb81582a54114e4ea725561d675ae3d7eca8f5

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{567AA84F-533A-4CF6-9FA3-0D9B826CFF8D}.dat

MD5 44821ff696c25a6e621ce4b61c2009eb
SHA1 abc43d2017112f74e558c8ddc68515e56f82e2fa
SHA256 7ff25976e0471f2bbb6d26eb14a1983700223aa2755b0e90a603718f7e13d114
SHA512 e2bc734a25ac4aa45a47c2aada978f2780c438c8d1a0af4dcf89e5df3f1a4ca776d866e1490ea089fd51356cb08b0d0ef3d03cc2c7a4105dfc5f1e60d13b3d48

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{1B0A80D2-4DF1-45F1-92AE-FB57BDEF21ED}.dat

MD5 7417ff31ed52281597065836eba42ec3
SHA1 a7c2bf09e018cef4badd7aaa16a28fa1cf206d94
SHA256 7cf0a363f4f5dac2e5ae9ccc3f3f6319d5fd4069219831ed4bdf1d0b2d8d0c50
SHA512 b8cf7446943b30cc20ad6e108dd93450c5f204919b4f15c0a95f0c79b861d449c495a5e97f65b12f7ba80f44931435c52acfdf50dae1b407dda43079263856a8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 5c450edbfcba23d9d5823a3c6ab7bf7a
SHA1 2ff4b5668bd4be6aedc8e5893794ec1249089cf0
SHA256 fd95ba41619682453d9d0be4424cfba76d6887a272b557131ff4d75379e91fd0
SHA512 2d851f2e43b8c9edb314177602359b5a3f4a7a701fcb95f029d621ec5e985e3c7e7aacc50eabbc19cd4aceecc6dd55dfef869db6d3a1024401fe0e44f112aa3a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 364632eabbe7468d607ae4b138935d73
SHA1 cf012c18c2e90a8df07279a52f9dba8ee21f79c4
SHA256 31e757b2850d0eae1e1607d2e33322c18863945d13590e4b4f1a4ffed8803b17
SHA512 f19750691799964e70b4a4ccf4f28f3da351ca543ebd9e851fdc7582cfd717a82f0e659a2e4180a24eac091094e67b06895a4c9d76293f69ccb2ad7bb6dcef95

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HPAPK8O7\badware[1].htm

MD5 5d0cdf076380e32997d393ffafbcf15d
SHA1 1c32ffd32cffbff0dbb0f822dd3d61f01594f96a
SHA256 2b493b0cade58cc95181ce03801f89d1a73728e31d3e86448ecad0a28b72dbfd
SHA512 fd3ad3b9266f457eda271fadb9b53563c9a517303130ac585fb79b01974e7af0ad59c74b4e16257a8925275825a4aeb29a9ed34c9e3737cae09ddc136acce690

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TEB8C3M0\sentry.81211d7be592cb765013[1].js

MD5 d3917845ce57fa0d2794158cd2cba9fd
SHA1 aabaf69aad8c3bcf602057c6a48b4b80a2d88924
SHA256 46d2247fdfb458e1d98d797ff4da25ceab2a45753dae660db948e502ba7c8eb5
SHA512 49c6e5843a97d1e21f8d06eaadc2b727fdc45948dcf4ce84ee92f5a472323216edd680f244505bb2e4a28bc6dc7b293e2b3581330e25659abd692624f5c71996

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TEB8C3M0\webMinimal.67bd8e42ef1b431e9c46[1].js

MD5 b688cf349ec1d92ed1122b360f73b36b
SHA1 99d488d6a9c74ed5fc78199c14d8523dde2c4603
SHA256 50b88032e2e1eab80ebb50f5c871a3aeecff26c585e65b0c671d7751bc0027cc
SHA512 13b77de60a1ea4662ea848be2d274e85763ecba22402813e57f2fc00f097268249366d832faf01070c4758d65225ad63704b8a953619fdfc61332c934f570473

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\sbxdpz5\imagestore.dat

MD5 86a98be9e3f04f67a7b8094ebfe579bc
SHA1 bc16f84be59f10fc547c1d66d32fe251a615bb3e
SHA256 b9216cb80a5a97d3c3dc3a4406ea67f605e6ba3c9b90a9d643a79333a99e9e79
SHA512 409a3cf43ab2bd40532f2cad28c9cabeb942f481a2f615d40b70797b6ea86a9047c6873d0e9ba0017da94d5c5a4394a2c345aa4ad8d69a7ee431b96e7991514d

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\8234e0a75aa9afb205bd[1].woff2

MD5 281bba49537cf936d1a0df10fb719f63
SHA1 4085ad185c5902afd273e3e92296a4de3dc19edd
SHA256 b78fb569265b01789e7edd88cfe02ecb2c3fee5e1999678255f9b78a3b2cc4e8
SHA512 af988371db77831f76edf95a50b9ddf1e957f0230404c8307914f11211e01cc95c61e0768d55aa4347f24e856d226f7e07ac21c09880e49dbd6346d1760b8bff

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\ecff74bf4394e6e58dd1[1].woff2

MD5 7f63813838e283aea62f1a68ef1732c2
SHA1 c855806cb7c3cc1d29546e3e6446732197e25e93
SHA256 440ad8b1449985479bc37265e9912bbf2bf56fe9ffd14709358a8e9c2d5f8e5b
SHA512 aaea9683eb6c4a24107fc0576eb68e9002adb0c58d3b2c88b3f78d833eb24cecdd9ff5c20dabe7438506a44913870a1254416e2c86ec9acbbcc545bf40ea6d48

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\c1b53be672aac192a996[1].woff2

MD5 3d6549bf2f38372c054eafb93fa358a9
SHA1 e7a50f91c7ec5d5d896b55fa964f57ee47e11a1b
SHA256 8e401b056dc1eb48d44a01407ceb54372bbc44797d3259069ce96a96dfd8c104
SHA512 4bde638a4111b0d056464ce4fd45861208d1669c117e2632768acd620fcd924ab6384b3133e4baf7d537872166eb50ca48899b3909d9dbf2a111a7713322fad4

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\QYZUJDJO\discord[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TEB8C3M0\69646.e343da659998798a3c32[1].css

MD5 6fcaa169ec2157ddb48dfb1b28c7a091
SHA1 46df2be34ef4857fd698659828e6790f0d35499f
SHA256 2a2cc411e46ae60d90268d35881413c63ec33b513eecc24e6a0ab164e128cc3f
SHA512 73557657b6e12ae32becb8419e1dd8ca7fa1b5e108cd2015e1155b95dc771b74be472d8f5157cfc5097a9c4db5bddff35fcb1ef3a96bba489c15c33e787c2eb8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\db0a7b5459a233f1f6c0[1].woff2

MD5 17bf6b1c912399ef0f05742315932aae
SHA1 58a7e8603e5315a4686c0eec407b3867a13618fa
SHA256 8957b06e2baed65915fa19cdc3fb3dc48b9e94898b922674f6b7a1875199f466
SHA512 10059e3cb8acc88d1adf39fee094c2e960c9426176ee52d63052693d77e2458150c17a5c288b6083cdd6219b22a8b86decc67740bd8af9538003856143700ede

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\0fb198ed8281d10bac11[1].woff2

MD5 a6f145c7d25de52895579fad8b45265b
SHA1 d66c7d9b68a2a9a06beb009ef51081f6b2e3ebe6
SHA256 f7e3571c1b8df4df3279a577718e545289a89501fcd0073bebbee8df7e8a06c7
SHA512 d56f8509a083079fe3953a44997a115a008b0e088412d966a766ed621c76c6f69d92cb4650d8630b4eefc8b0935efd616a2dc5dc68148a4fe297a342b10b85dd

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\6df261c61450af10af2f[1].woff2

MD5 f5aba5511523dcae97748a1b35bbffe8
SHA1 cc89cd152b4e036ccc2ff1b80d17fe4fe7e678cc
SHA256 80ea5f1aabbe41c65a0352b56d2be8c409d44b8ab475a14997b7d9986de0029b
SHA512 6fa08d14177558a5af176a4698fcdad42111b1d83423ca200257a71eaaebcc38a9ec777dcca7c7612d11c40c51bf6f5df0ec28c2c63c187b13fb4fd4247e87b0

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\b84ef5d4aa22d54ea96e[1].woff2

MD5 412f5d9534ce2a2e1a1ae9b746bca5b5
SHA1 4a38e0093c04b96ee310b8a79f6d83d6165a3681
SHA256 4a8fe66a26e23c87354c593a99f983e37f14bf3b925b3f0f0f8665e32455f016
SHA512 aa8852ca3a2d63a443fe40d15209f1b53da913d2cc8c9275dd6338ea9f8108464e724182b4d021219ab75ef1195dd90c4a63f81fe033e4890b7d7f1d32b20391

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\e5895f33d25eae65caf5[1].woff2

MD5 d9b0aabb79e7d8b3b14789ebd534f158
SHA1 223672a3e35d262163e9cd58433b1579658d5a43
SHA256 0c340de794334fde48397d59cc9b31f7eb125d2ab21cac618f6d40196d489b30
SHA512 b00f325cf4b7f8d9117e1f255ec9fac4ec9977f891e40aec00a323dea6a524ea7f5e6b8eb9575e08428c2c7055c637d24cd7e3b31bee1f0e9e8165d5dbde077f

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\48a594e29497835802fe[1].woff2

MD5 7cf1be7696bf689b97230262eade8ad8
SHA1 8eb128f9e3cf364c2fd380eefaa6397f245a1c82
SHA256 a981989aee5d4479ffadf550d9ecff24a4ac829483e3e55c07da3491f84b12ba
SHA512 7d7c7dc08001079d93ef447122dee49abd2b7a84d1619a055ff3e7ec0009261ab6add018560bfd82ed22b29c1915bfd059f02cd83fed2e15e9af05a5d0654e06

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\1622f3625fb3a6eac2f2[1].woff2

MD5 a2a248f78d12dd5b842930bda7036302
SHA1 6b5b9780ec7b1a10318e31c80607275577e513df
SHA256 811563f8ea187c8ca0a57007713fe8d21701acdbd6226083713da4b49a7495f2
SHA512 2c138b4a69583c1e3e14455271783e10e3d13c2f8eb78a4a06ce9a7a270893c37be7d70a4a192a06f3c1d9a858516d05f18f778a0a1cb4e4bafea30e5656e0ac

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\475016f7a9e3e75b3670[1].woff2

MD5 d6db7b5639c7ed70f8b582984dda6c62
SHA1 bfc61b049ffacbfeee9060db12fddb11784a877b
SHA256 3cb7a73b454fdc7290f8188282def2e97a24ceef1312295730a5bff2ef9e96c6
SHA512 85714e0793c935d7a3cd8706fd12f92a42e9670842fff87cf9d82c491894d920b76fc5e595bafb6e50426e458421c103a08b23c219b5f3674afe92ea4570e3f6

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\f5b8aa3411dfc24ff2e6[1].woff2

MD5 f9bf0f65660d23c6f359d22720fc55ae
SHA1 9fa19ab7ea56165e2138c443816c278d5752dd08
SHA256 426ae06cd942849ab48b84c287c760f3701b603ebcc5c9aaa4a89923ef5f058e
SHA512 436019a96e47848533684a34e3c360f516c29b2aa2473d0a05d50c0fd3ad19eac39df2de12b6ec1c6760493efb5abf58e6a54d32080226fa1765983435634d88

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\914a97ac83e173c66dd7[1].woff2

MD5 e55012627a8f6e7203b72a8de730c483
SHA1 4c43b88403ec9c3053d74b4c502bcaf99f594c57
SHA256 8390503760c8f26556001a28e7d95e4a237a4780e7ceeebf0853ce252fde4ba8
SHA512 05bfb6311b7f78f8f85e43f3c9c87447138237b8897c68effa4c877509296f0a7252070f8bba79c6561ff91c6759058f0da5a10c1db19c1ff0443fee49bf62a5

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\b8cfca9c9b10ffcc6e53[1].woff2

MD5 05422eb499ddf5616e44a52c4f1063ae
SHA1 eab3a7e41cbf851df0f0962ed18130cf89673a65
SHA256 c1d71bd80fc3ecf5ef1a97092a456a046d55fd264be721f2a25be3e59ccb8b2b
SHA512 3722a6335ba80c3336d199a449026456c89ffe521ec5ba9e06a7cebf0b19d5054ca87f3b9be4683e189c4c1f9b898ef397c65c8f0b3556787fa2e7cd3d5255fa

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\452d7be36bf4b23241bd[1].woff2

MD5 db985aaa3c64f10506d96d876e350d47
SHA1 aad4a93575e59643fed7617e2feb893dd763d801
SHA256 234feb9a8a2c759d00a4959506a3b9cb94c772186a2d117aed973347c7ef1891
SHA512 300d0d35ebb9e27d66489ffb3e5502a4dcd3af032fb0f672d4f004e3846fb795772b6938c99dafed6fad0c25da8412d6f6a7b0221eb2540e84527703db5b7073

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\6daadfe6e5f14c9213b7[1].woff2

MD5 980082c4328266be3342a03dcb37c432
SHA1 4179f54fd61655067a20a2b37224fde3d8e5024e
SHA256 1b03dae61d613604b3d41d61cc4bc2e05f19bd27c7ff2638242f9036f2b8794e
SHA512 4495e9336ecb6c1757d856e7db9233aeea5faac126b8e876ab1f98dd2b4dfa390a7f6667691cfa0a9137f1960eccd8b5db0b4bd47e9bd8f552eda67e5de4b16a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\ef2325329f07b2420f27[1].woff2

MD5 1ac46f07e44e1d6020a4b6b19e34c844
SHA1 56c37396425ff215805fee12b3fd1a0af65d9725
SHA256 67165f276046f293a75296f6193cf19607ea65e52988babf95b77f4a7fa2f099
SHA512 996e7f9634850195de479c81f9fd2eeddcf3a1ffb327d84fbac6385802a4ff1cf23b114aeaa2a94e8c0cad15a6a25efa708860d6da8d82c50e77ac21b68ed208

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\8bd8143eff37936894aa[1].woff2

MD5 d295c40af6fca08f8e0eb5425351f431
SHA1 1d246a1e54b3a1f2428883d8c911af73eddffca6
SHA256 5d225b25d66b30563a00f395476ed701130d3f749620a63531cea09fc537164e
SHA512 9c9f23cb775244eb10f83f964b36224ad2cd5152cfa5ab82928f68ed1cb49be4156f887cc40a857b72efd0833014e4366bf136689a717dd58828a1b195ed486e

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\b21c5111a12372139409[1].woff2

MD5 ff5eccde83f118cea0224ebbb9dc3179
SHA1 0ad305614c46bdb6b7bb3445c2430e12aecee879
SHA256 13da02ce62b1a388a7c8d6f3bd286fe774ee2b91ac63d281523e80b2a8a063bc
SHA512 03dc88f429dd72d9433605c7c0f5659ad8d72f222da0bb6bf03b46f4a509b17ec2181af5db180c2f6d11c02f39a871c651be82e28fb5859037e1bbf6a7a20f6b

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\1222195a37d6dd10994e[1].woff2

MD5 71d3e9dc2bcb8e91225ba9fab588c8f2
SHA1 d7e38ee4c245f64b78eb18e6ecd7b9f53b3254a8
SHA256 ae99aaede2f373187a4fe442a2cb0ab9c2945efbab01cf33e01be517c0c4f813
SHA512 deda05ebd575d413aa2277876991ecc2ea238907390753485ba1b487ede2f432363c46daad5f3f240eaaf8d3258150829a3ae3d2d9c420ea59567cfd440361a6

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

MD5 742ec2b92a512e0fb8a416c81ec715de
SHA1 2e331cd7063b583f3f1449cf734841cb5b1cff94
SHA256 85adba7cbdfc07164a96d2f1e7b233da6dee7bc1ab621f59a1218ff75f3c53cb
SHA512 3832f8f4927289ab79668c5f8d939075d04c513f965ddfd0fe58953fb55b984596d97da63d09d4cdee9ffb4d773cf081d97b548c86dfb207bd1311f260f6ca0e

C:\Windows\IME\AMIDEWINx64.EXE

MD5 64ae4aa4904d3b259dda8cc53769064f
SHA1 24be8fb54afd8182652819b9a307b6f66f3fc58d
SHA256 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
SHA512 6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
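The Network rows and the Files listing above are flat text, which makes them awkward to pivot on directly: the resolver traffic to 8.8.8.8:53 and the in-addr.arpa PTR lookups are lookup noise, the loopback connections carry no destination, the Edge package tree and CryptnetUrlCache entries are browser and certificate-cache artifacts of the page loads, and the memory/PID-INDEX-START-END entries are dumped regions rather than files. The Python script below is an added example, not part of the original report or the sandbox's tooling. It parses both listings into structured records, reduces the Network rows to unique outbound destinations and queried names, turns the memory entries into (pid, base, size) regions, and isolates the one executable in this listing written outside those caches (C:\Windows\IME\AMIDEWINx64.EXE) together with its hashes. The sample input is a verbatim subset of this page's own rows, embedded so the script runs offline; the cache-path heuristic in classify() is the example's own assumption, not a verdict from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a verbatim subset of this report's own Network
# and Files rows, embedded so the parser runs offline.
NETWORK_TEXT = """\
US 162.159.136.234:443 discord.gg tcp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
N/A 127.0.0.1:49967 tcp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.136.234:443 discord.gg tcp
"""

FILES_TEXT = r"""
memory/660-0-0x00007FFC8EF20000-0x00007FFC8EF22000-memory.dmp

memory/660-1-0x0000000140000000-0x00000001419DD000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YWCI917P\favicon[1].ico

MD5 ec2c34cadd4b5f4594415127380a85e6
SHA1 e7e129270da0153510ef04a148d08702b980b679
SHA256 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

C:\Windows\IME\AMIDEWINx64.EXE

MD5 64ae4aa4904d3b259dda8cc53769064f
SHA1 24be8fb54afd8182652819b9a307b6f66f3fc58d
SHA256 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
"""

# Network row: "<country> <ip>:<port> [<host>] <tcp|udp>"; host is absent on loopback rows.
NET_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
# Memory entry: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


@dataclass
class Connection:
    country: str
    ip: str
    port: int
    host: Optional[str]
    proto: str


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_network(text: str) -> List[Connection]:
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append(Connection(m[1], m[2], int(m[3]), m[4], m[5]))
    return rows


def forward_destinations(rows: List[Connection]) -> List[Tuple[Optional[str], str, int]]:
    """Unique (host, ip, port) for real outbound connections: resolver traffic,
    loopback sockets and reverse-PTR lookups are dropped as noise."""
    seen = set()
    for r in rows:
        if r.port == 53 or r.ip.startswith("127.") or (r.host or "").endswith(".in-addr.arpa"):
            continue
        seen.add((r.host, r.ip, r.port))
    return sorted(seen, key=lambda t: (t[0] or "", t[1], t[2]))


def dns_queries(rows: List[Connection]) -> List[str]:
    """Names the sample resolved (forward lookups only, PTR lookups excluded)."""
    names = {r.host for r in rows if r.port == 53 and r.host and not r.host.endswith(".in-addr.arpa")}
    return sorted(names)


def classify(path: str) -> str:
    # Heuristic (example's own assumption): Edge package tree and CryptnetUrlCache
    # are browser / certificate-cache artifacts; anything else is worth a look.
    p = path.lower()
    if "\\packages\\microsoft.microsoftedge_" in p:
        return "browser_cache"
    if "\\cryptneturlcache\\" in p:
        return "crypt_cache"
    return "other"


def parse_files(text: str) -> Tuple[List[MemoryRegion], List[FileEntry]]:
    """Split the Files listing into memory regions and on-disk files with hashes."""
    regions: List[MemoryRegion] = []
    files: List[FileEntry] = []
    current: Optional[FileEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            current.hashes[h[1]] = h[2].lower()
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        current = FileEntry(line)
        files.append(current)
    return regions, files


def files_outside_caches(files: List[FileEntry]) -> List[FileEntry]:
    return [f for f in files if classify(f.path) == "other"]


if __name__ == "__main__":
    rows = parse_network(NETWORK_TEXT)
    for host, ip, port in forward_destinations(rows):
        print(f"outbound  {host}:{port} ({ip})")
    for name in dns_queries(rows):
        print(f"dns query {name}")
    regions, files = parse_files(FILES_TEXT)
    for r in regions:
        print(f"memory    pid={r.pid} base=0x{r.start:X} size=0x{r.size:X}")
    for f in files_outside_caches(files):
        print(f"dropped   {f.path} sha256={f.hashes.get('SHA256')}")
```

Run against the full page rather than the embedded subset, the same functions give the unique TLS destinations (discord.gg, discord.com, cdn.discordapp.com, keyauth.win) and a single non-cache file with its SHA256, which are the values to carry into a blocklist or a hash hunt; the memory regions are useful for matching the dumped base addresses against the Processes section.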